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NETWORK POLICY DISTRIBUTION 



TECHNICAL FIELD 



This invention relates to network policy distribution. 
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For two computers to communicate with each other over a 
network, the network systems on the two computers typically 
are configured so that they are compatible. For example, if 
two computers are to encrypt data communicated between them, 
both computers may use the same encryption and decryption 
methods. For small networks with simple computers, an 
operator may manually configure the network systems at each of 
the computers . 

Alternatively, a policy server computer on the network 
may configure the network systems of the computers on the 
network. The network configuration data for the computers are 
stored in policy files or in a policy database on the policy 
server. The policy server configures the network systems of 
the computers by transmitting configuration data from the 
policy files or database to the computers. Policy clients on 
the computers may then change the network configuration of the 
computers using the transmitted configuration data. 

For a policy client to configure a network system using a 
policy file, the policy file is typically formatted in a 
particular way. The rules for formatting a policy file are 
referred to as a schema. Different clients may require 
different policy files formatted according to different 
schema s . 

DESCRIPTION OF DRAWINGS 

FIG. 1 is a block diagram of a network of computers 
according to the invention; 

FIG. 2 shows a first part of a network policy according 
to a first version; 
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FIG. 2 shows a first part of a network policy according 
to a first version; 

FIG. 3 shows a schema of the first version of the network 
policy; 

FIG. 4 shows a schema of a second version of a network 
policy; 

FIG. 5A shows a second part of the network policy of FIG. 
2 and a translation specification; 

FIG. 5B shows a translated version of the network policy 
of FIG. 1; 

FIG. 6 is a flow chart of the process implemented by the 
server of FIG. 1; 

FIG. 7A is a flow chart of the process implemented by one 
of the clients of FIG. 1; and 

FIG. 7B is a flow chart of the process implemented by 
another one of the clients of FIG. 1. 

DETAILED DESCRIPTION 

As shown in FIG. 1, a network 10 connects client 
computers 12, 14, 16 to a server 18. The server 18 has a 
processor 2 0 for executing computer programs, a network 
interface 24 for communicating over the network 10, and a 
storage subsystem 22. Storage subsystem 22 may include a 
CDROM drive, floppy disk, hard disk, hard disk array, memory, 
and so on. Processor 20 may cause the network clients 12-16 
to change their network configurations by. executing policy 
server 26 software, stored within storage subsystem 22. 

Policy server software 26 is associated with a network 
policy 30, which includes a particular version 34 of a network 
configuration 32 and a timestamp 35 indicating the time that 
the network configuration 32 was created. The network 
configuration 32 is used to configure the clients 12, 14, 16. 
The clients 12, 14, 16 may differ from each other, for 
example, because they are from different manufacturers or have 
different operating systems. Consequently the clients may 
require different versions of the network configuration 32. 
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The policy 30 includes a specification 36 for translating the 
network configuration 32 from the particular version 34 to 
another version of the policy that may be required by the 
clients 12, 14, 16. The policy 3 0 may contain multiple 
translation specifications 36 to allow the policy to be 
translated into many different versions. 

The policy server software 26 also includes a policy 
transmitter 40 that transmits the policy 30 over the network 
10 to the client computers 12, 14, 16 and a policy translator 
42 that can be used to translate the network configuration 32 
using the translation specification 36 for client computers 16 
that cannot do the translation. 

The client computers 12, 14, 16 each contain a network 
interface 52a, 52b, 52c for communicating with the network 10, 
a storage subsystem 53a, 53b, 53c, and a processor 54a, 54b, 
54c for executing software stored within the storage 
subsystem. The software sends and receives data over the 
network through a network system 56a, 56b, 56c and the network 
interface 52a, 52b, 52c. Policy client software 58a, 58b, 
58c, stored within the storage subsystem 53a, 53b, 53c 
configures the network system 56a, 56b, 56c using the network 
policy 3 0 transmitted by the server 18. 

Policy client software 58a, 58b, 58c includes a network 
configurator 60a, 60b, 60c that receives the policy 30 from 
the server 18 and uses the policy 3 0 to configure the network 
system 56a, 56b, 56c. Network configurator 60a, 60b, 60c also 
records a timestamp 57a, 57b, 57c associated with the network 
policy 3 0 that was used to configure the network system 56a, 
56b, 56c in the network system. Each network configurator 
60a, 60b, 60c is associated with a particular ""schema'' 62a, 
62b, 62c of the network configuration 32. A network 
configurator may not be able to configure a network interface 
with a policy file that is configured according to a different 
schema from the one that is expected by the network 
configurator. The schemas 62a, 62b, 62c of the network 
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clients are assigned version numbers 64a, 64b, 64c to 
distinguish one schema from another. 

Clients 12, 14 have a policy translator 70a, 70b, which 
uses the translation specification 36 contained within the 
policy 30 to translate the network configuration 32 contained 
within the policy 30 to the version 64a of the schema 62a, 62b 
associated with the client 12, 14. The network configurator 
60a, 60b then configures the network system 56a, 56b using the 
translated policy. Thus, sending the translation 
specification 36 to the clients 12, 14 along with the network 
configuration allows the same policy 30 to be used in 
configuring clients that may have different policy versions. 
Since only one policy 3 0 is maintained on the server, the 
amount of effort and resources needed to maintain the policy 
30 is reduced. Traffic within the network 10 may also be 
reduced by broadcasting the policy 30 to both clients 12, 14 
in the same transmission. 

Client 16 is not equipped with a policy translator. If 
the policy 3 0 does not have the same version 64c as client 16, 
client 16 sends a policy error 71 to the server 18. The 
policy translator 42 on the server 18 then translates the 
policy 30 into the version 64c associated with the client 16 
and transmits the translated policy 72 to the client 16. The 
network configurator 60c of the client 16 uses the translated 
policy 72 to configure the network system 56c. Thus the 
policy 30 can be used with a client 16 that is not equipped to 
translate the policy. 

The policy 3 0 may, for example, be represented in a tag- 
based language such as the extensible Markup Language (XML) , 
HyperText Markup Language (HTML) , or Standard Generalized 
Markup Language (SGML) . The invention will be described with 
reference to an implementation where the policy is represented 
as an XML file with the translation specification being 
represented in an extensible Stylesheet Language (XSL) file. 
The policy translators 40, 70a, 70b are extensible Stylesheet 
language translators (XSLT) . XML and XSL are document 
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formatting and translating languages promulgated by the World 
Wide Web Consortium (W3C) . XSL translators are easily- 
available because XSL is used in many different applications. 
For example, the XSL translator included in Internet Explorer 
by Microsoft Inc. may be used as a policy translator 40, 70a, 
70b. 

As shown in FIG. 2, a network policy 30 specifies the 
version 34 of a schema to which the policy 3 0 conforms and a 
timestamp 35 indicating the creation time of the policy. 
Policy 30 conforms to a schema version 1.1. Policy 30 has 
network configuration data 32 for configuring network systems 
56a, 56b, 56c (FIG. 1) of client computers. Network 
configuration data 32 includes network data encryption 
settings 90 that network systems 56a, 56b, 56c (FIG. 1) may 
use when communicating with another computer. The network 
systems 56a, 56b, 56c of a client computer 12, 14, 16 
configured according to the policy 3 0 proposes a first network 
setting 90a as an encryption setting for communication between 
the client computer 12, 14, 16 and another computer. If the 
first setting 90a is unacceptable to the other computer, the 
network system 56a, 56b, 56c propose a second setting 90b to 
the other computer. The first setting 90a proposes a pre- 
shared 92a authentication method with a DES 94a cipher 
algorithm, an iyiD5 hash algorithm 96a and a group identity 98a 
of DH768. The second setting 90b proposes a ""DSS signatures*' 
92b authentication method with a ""Rjindael** 94b cipher 
algorithm, an SHA-1 hash algorithm 96b and a group identity 
98b of DH1024. 

As shown in FIG. 3, the schema 100 for the policy 30 
(FIG. 2) lists the requirements 101 for the attributes of a 
network-setting proposal in the policy 30. According to the 
schema, an ID 102 is required 104 for each proposal. A 
cipher algorithm 108 selected from ""3DES,'» ""DES,'' ""IDEA," 
""Blowf ish, " ""RC5, " ""CAST, " and ""Rjindael" 110 is also 
required. A hash algorithm 114, a Group ID 116, and an 
authentication method 118 respectively selected from lists 
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120, 122, and 124 are also required in the network setting 
proposal. Schema 100 specifies an arrangement of a version 
""1.1* • policy file that can be used by the network 
configurator 60a, 60b, 60c. A network configurator may not be 
5 able to configure a network system with a policy file that 
does not conform to the schema of the network configurator. 

As shown in FIG, 4, an older schema 130 associated with 
version ""1.0'* network policies does not include the 
""Rjindael" algorithm 94b of policy 30 (FIG. 2) in the list 
10 132 of cipher algorithms 134. Consequently, a network 

configurator associated with the older schema 13 0 cannot 
configure a network system using policy 30. 
kg As shown in FIG. 5A, an XSL translation specification 36 

^ (see also FIG. 1) may be used to translate policy 30 to an 

? 15 older version ""1.0'' which conforms to the older schema 130, 
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iU The specification includes a set 142 of statements that 

replace instances of the ""Rjindael" cipher algorithm with the 

5 ""3DES'' algorithm, which is defined in the older schema 130, 

A statement 142a in the set 142 directs a policy translator to 

I^j20 check whether a policy has ""Rjindael'' defined as a cipher 

algorithm and another statement 142b directs policy translator 

f=s to change the cipher algorithm to change the cipher algorithm 

from ""Rjindael'' to ""3DES.'' Thus the specification 36 
directs a policy translator to translate a policy from version 
25 1.1 to version 1.0. A statement 146 directs the policy 

translator to change the policy so that it reflects the older 
schema version 1.0. 

FIG. 5B shows the translated policy 72 resulting from 
translating policy 30 (FIG. 2) based on specification 36. As 
30 shown in FIG. 5B, the version number 150 has been changed from 
""1,1'' to ""1,0" and the cipher algorithm 160 has been 
changed from ""Rjindael" to ""3DES-'' However, the timestamp 
35 of the policy 72 has not been changed because the 
translation process does not affect the creation date of the 
35 policy. The translated policy 72 may be used by clients 12, 
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14, 16 (FIG 1) that require a policy that conforms to the 
schema 130 of FIG. 4. 

As shown in FIG. 6, the server 18 begins the process of 
configuring the clients 12, 14, 16 by broadcasting (600) the 
5 network policy 30 on the network 10, so that the policy 30 is 
received by all the clients 12, 14, 16. By sending the policy 
30 to the clients 12, 14, 16 in a single transmission, the 
server reduces the network traffic needed to configure the 
clients. The server 18 then checks (602) whether a policy 
10 error 71 has been received from any of the client computers 
12, 14, 16. If a policy error 71 has not been received, the 
server 18 continues to wait for an error 71. 

Otherwise the server 18 determines (604) the address of 

]y the client computer 16 that sent the policy error 71 from the 

P 

15 information contained within the policy error. The server 18 

W also extracts (606) the version 64c of the schema- 62c of the 

'2 client from the information contained within the policy error 

5 71. Upon extracting the version 64c, the policy translator 40 

™ on the server 18 translates (608) the network configuration 32 

W 

y 20 of the policy 30 to the version 64c using the translation 
IZ specification 36 to produce a translated policy 72, The 

Q server transmits (610) the translated policy 72 to the client 

computer 16 and stops the process. 

As shown in FIG. 7A, the process of configuring a client 
25 12, 14 that includes a policy translator 70a, 70b begins when 
the client 12, 14 receives (700) a policy 30 from the server 
18. The client 12, 14 extracts (701) the timestamp 35 from 
the policy 30 and checks (702) whether the timestamp 35 is 
greater than the timestamp 57a, 57b of a network policy that 
30 was previously used to configure the network systems 56a, 56b 
of the clients. A greater timestamp 35 indicates that the 
policy 30 was created more recently than the policy that was 
previously used to configure the network systems 56a, 56b of 
the clients. If the timestamp 35 is not greater, the client 
35 12, 14, terminates the configuration process. 
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otherwise, if the timestamp 35 is greater, the client 12, 
14 extracts (703) a schema version 34 from the policy 30 and 
checks (704) if the extracted schema version 34 is the same as 
the version 64a, 64b associated with the client 12, 14. If 
5 the extracted schema version 34 is the same as the version 
64a, 64b of the client 12, 14, the network configurator 60a, 
60b of the client 12, 14 configures (710) the network system 
56a, 56b of the client using the policy 30. 

Otherwise, if the extracted schema version 34 is not the 
10 same as the version 64a, 64b of the client 12, 14, the policy 
client 58a, 58b extracts (706) the translation specification 
36 from the policy 30 and translates (708) the network 
configuration 32 of the policy 3 0 using the extracted 
specification 36. The network configurator 60a, 60b of the 
15 client 12, 14 then configures (710) the network system 56a, 
W 56b of the client using the translated policy. 

]S As shown in FIG. 7B, the process of configuring a client 

3 16 that does not have a policy translator also begins when the 

IZ, . . client 16 receives (749) a policy 30 from the server 18. The 
|y 20 client extracts (750) a timestamp 35 from the policy 30, and 
l2 checks (751) whether the timestamp 35 is greater than the 

£3 timestamp 57c of a network policy that was previously used to 

configure the network systems 56c of the client 16. If the 
timestamp 35 is not greater, the client 16 terminates the 
25 process. 

Otherwise, if the timestamp 35 is greater, the client 16 
extracts (752) a schema version 34 from the policy 30 and 
checks (754) if the extracted schema version 34 is the same as 
the version 64c associated with the client 16. If the 

30 extracted schema version 34 is the same as the version 64c of 
the client 16, the network configurator 60c of the client 16 
configures (760) the network system 56c of the client using 
the policy 30 and terminates the process. 

Otherwise, if the extracted schema version 34 is not the 

35 same as the version 64c of the client 16, the client 16 waits 
(756) for a predetermined waiting period and then checks (758) 
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whether a translated policy 72 has been received from the 
seirver 18. By waiting for the predetermined period, the 
client 16, can receive a translated policy that was broadcast . 
or transmitted (610 FIG. 6) from the server to another client 
5 (not shown) which also does not have a policy translator. The 
different clients are configured to wait for different 
predetermined periods so that client computers with longer 
waiting periods can configure their network systems with 
translated policies which are sent by the server in response 
10 to policy errors from clients with shorter waiting periods. 
This reduces the number of policy errors and translated 
policies sent over the network, thereby reducing the network 
traffic - 

If a translated policy 72 has not been received, the 
> 15 policy client 58c sends (759) a policy error 71 to the server 
ly 18 and then checks (758) if a translated policy has been 

received. Otherwise, if a translated policy 72 has been 



3 received, the client 16 extracts 750 a timestamp from the 
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translated policy and repeats the process (751-760) described 



N other embodiments are within the scope of the following 

claims. For example, the policy 30 and its translation 
specification 36 may not be sent in a single file. Instead, 
the policy and the specification may be sent in two separate 
25 files, allowing the same specification 36 to be used with two 
different policies 30. The server 18 may be configured to 
transmit the translated policy 72 to a single client 16 
instead of broadcasting the translated policy 72 to multiple 
clients in the network 10. In such a single re- transmission 
30 network, the configuration process (FIG. 7B) for a client 16 
that does not have a policy translator would not include 
waiting (756) for a delay time before sending (759) a policy 
error. 
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